PERSONAL DATA MANAGEMENT POLICY
HUMANLD S.A.S., (hereinafter THE COMPANY), a commercial company duly incorporated under the laws of the Republic of Colombia and identified with NIT 901.538.192, in compliance with the provisions of Law 1581 of 2012 which aims to develop the constitutional right of all people to know, update and rectify the information that has been collected about them in databases or files, and other rights, freedoms and constitutional guarantees referred to in Article 15 of the Political Constitution of 1991; as well as the right to information enshrined in Article 20 of the same law; and the regulatory decree number 1074 of 2015, which regulate the protection of personal data and establish the legal guarantees that all people in Colombia must comply with for the due treatment of such information, develops the following policies for the treatment of personal data that assists both customers, shareholders, suppliers and employees within THE COMPANY:
PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA
In the development, interpretation and application of the personal data protection law, THE COMPANY shall be subject to the following principles:
- Legality regarding data processing: Data processing in Colombia is a regulated activity, which must be subject to the provisions of these rules and other provisions that develop it. Therefore, the business processes and recipients of this regulation must be subject to the provisions herein.
- Purpose: The processing of data must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Data Subject in a concrete and precise manner.
- Temporary limitations to the Data Processing: Once the purpose of the Processing has been fulfilled, the COMPANY shall proceed to the deletion of the Personal Data. Notwithstanding the foregoing, THE COMPANY shall comply with all legal and contractual obligations regarding the Processing of Personal Data.
- Freedom: The processing of data can only be exercised with the prior, express and informed consent of the Data Subject. Therefore, personal data may not be obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate that relieves the consent.
- Truthfulness or quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.
- Transparency: In the processing of data, the right of the Data Subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed.
- Restricted access and circulation: Data processing is subject to the limits derived from the nature of the personal data and the limits established by law. Therefore, the processing may only be carried out by people authorized by the Data Subject and by other people authorized by law.
For these purposes, the obligation of THE COMPANY shall be an obligation of means.
The data provided by the Holder may not be available on the Internet or other mass media, unless it is public information or access to such information is technically controllable to provide restricted knowledge only to the Holders or third parties authorized by law.
- Security: The information subject to processing by THE COMPANY shall be handled with the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
- Confidentiality: All the people who take part in the Processing of Personal Data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks included in the Processing, and may only supply or communicate Personal Data when it corresponds to the development of the activities authorized by law.
- Sensitive Data: THE COMPANY will not collect sensitive data, which are those that affect the privacy of the Data Subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties as well as data relating to health, sex life and biometric data.
RIGHTS OF DATA SUBJECTS
The rights of data subjects are:
- To know, update and rectify their personal data with respect to the Data Controllers or Data Processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is prohibited or has not been authorized.
- To request proof of the authorization granted to the Data Controller, except when expressly exempted by law.
- To be informed by the Data Controller or the Data Processor, upon request, regarding the use that has been made of their personal data.
- To file complaints before the Superintendence of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and other rules that modify, add or supplement it.
- To revoke the authorization and/or request the deletion of the data when the processing does not respect the principles, rights and constitutional and legal guarantees. The revocation and/or deletion will proceed when the Superintendence of Industry and Commerce has determined that in the Processing the Controller or the Processor has incurred in conduct contrary to the law and the Constitution.
- To access, free of charge, their personal data that have been subject to processing.
To consult, know, update, rectify, delete or revoke any type of information, the Data Subject must submit a written request to the Controller or the person in charge of the processing of personal data, stating the reason for which he/she wishes to carry out any of the aforementioned procedures.
CASES IN WHICH THE COMPANY DOES NOT REQUIRE AUTHORIZATION FOR THE PROCESSING OF THE DATA IN ITS POSSESSION
The authorization of the Holder shall not be necessary in the case of:
- Information required by a public or administrative entity in the exercise of its legal functions or by court order;
- Data of a public nature, i.e., data that is not semi-private, private or sensitive and may be contained, among others, in public records and documents, official gazettes and bulletins and court rulings;
- Cases of medical or health emergency;
- Processing of information authorized by law for historical, statistical or scientific purposes; and
- Data related to the Civil Registry of people.
DUTIES OF THE DATA CONTROLLER TO THE DATA OWNERS
THE COMPANY, in its capacity as Data Controller, assumes the following duties, without prejudice to those others provided in the provisions that regulate or may come to regulate this matter:
- To guarantee the Data Subject, at all times, the full and effective exercise of the right of habeas data;
- To request and keep, under the conditions provided by law, a copy of the respective authorization granted by the Data Subject;
- To duly inform the Data Subject about the purpose of the collection and the rights he/she has by virtue of the authorization granted;
- To keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;
- To guarantee that the information provided to the Data Processor is truthful, complete, accurate, updated, verifiable and understandable;
- To update the information, communicating in a timely manner to the Data Processor, all developments with respect to the data previously provided and take other necessary measures to ensure that the information provided to it is kept up to date;
- To rectify the information when it is incorrect and communicate what is pertinent to the Data Processor;
- To provide to the Data Processor, as the case may be, only data whose processing is previously authorized by law;
- To require the Data Processor at all times to respect the security and privacy conditions of the Data Subject's information;
- To process the queries and claims formulated in the terms provided by law;
- To adopt an internal manual of policies and procedures to ensure proper compliance with the law and especially for the attention of queries and claims.
- To inform the Data Controller when certain information is under discussion by the Data Subject, once the claim has been filed and the respective process has not been completed.
- To inform at the request of the Data Subject about the use given to his/her data.
- To inform the data protection authority when there are violations to the security codes and there are risks in the administration of the information of the Data Subject.
- To comply with the instructions and requirements given by the Superintendence of Industry and Commerce.
- To use only data whose processing is previously authorized in accordance with the provisions of Law 1581 of 2012.
- To refrain from circulating information that is being disputed by the Holder and whose blocking has been ordered by the Superintendence of Industry and Commerce;
- To allow access to the information only to the people who may have access to it.
- To use the personal data of the Holder only for those purposes for which it is duly authorized and respecting in any case the current regulations on protection of personal data.
DUTIES OF DATA PROCESSORS
Data Processors shall comply with the following duties, without prejudice to the other provisions of the law:
- To guarantee to the Data Subject, at all times, the full and effective exercise of the right of habeas data;
- To keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access;
- To carry out the timely update, rectification or deletion of data under the terms of Law 1581 of 2012;
- To update the information reported by the Data Controllers within five (5) business days from its receipt;
- To process the queries and claims formulated by the Holders under the terms set forth in this policy;
- To adopt an internal manual of policies and procedures to ensure proper compliance with Law 1581 of 2012 and, in particular, for the attention of queries and claims by the Data Holders;
- To register in the database the legend "complaint in process" in the manner regulated in this policy;
- To insert in the database the legend "information under judicial discussion" once notified by the competent authority about judicial processes related to the quality of the personal data;
- To refrain from circulating information that is being disputed by the Holder and whose blocking has been ordered by the Superintendence of Industry and Commerce;
- To allow access to information only to the people who can access it;
- To inform the Superintendence of Industry and Commerce when there are violations to the security codes and there are risks in the administration of the information of the Holders;
- To comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.
In the event that the qualities of Data Controller and Data Processor concur in the same person, the fulfillment of the duties foreseen for each of them shall be demandable.
TREATMENT TO WHICH THE DATA WILL BE SUBJECTED AND THE PURPOSE OF SUCH TREATMENT
The processing of personal data of employees, suppliers, customers, shareholders or any people with whom THE COMPANY has established or establishes a relationship, whether permanent or occasional, will be carried out within the legal framework that regulates the matter.
In any case, personal data may be collected and processed for the following purposes:
- To send information related to products and other goods or services offered by THE COMPANY;
- The development of the object of THE COMPANY which consists of the scientific analysis of data;
- To comply with regulations applicable to shareholders, suppliers and contractors, including, but not limited to, tax and commercial regulations;
- To comply with the provisions of the Colombian labor and social security laws, among others, applicable to former employees, current employees and candidates for future employment;
- To fulfill all its contractual commitments.
SPECIFIC POLICIES FOR THE TREATMENT OF PERSONAL DATA.
The operations that constitute Processing of Personal Data by THE COMPANY, as Data Controller or Data Processor, shall be governed by the following provisions in accordance with the following stakeholders:
- Processing of data of employees and service providers of THE COMPANY
- Data processing during the contractual relationship:
THE COMPANY will store the personal data obtained during the selection process of the employees who are linked to it and those who aspire to provide services for it, after their authorization through text acceptance when filling out their data on the website, which refers to this policy. The use of this information for purposes other than those established in the respective apprenticeship or employment contract and the authorizations signed by employees and applicants is prohibited, and will only be admissible in cases where there is an order from a competent authority, whether judicial or administrative, among others, as long as it is empowered to request it. Therefore, it is a duty of THE COMPANY, and especially of the person Responsible for the Processing of Personal Data, to assess whether or not such authority is competent to request the information, in order to prevent the unauthorized transfer of Personal Data to third parties outside THE COMPANY. For the collection of sensitive data during the employment relationship, an express authorization of the Data Subject shall be required, different from the one contained in the employment contract, and it must be contained in an attached document. The Data Subject shall be informed which data are considered sensitive, in accordance with the legal definition and the one contemplated in this Policy, as well as the purpose of the collection and how the data will be treated. In the event that THE COMPANY hires external services for the processing of data, the employee must, within the express authorization for treatment by THE COMPANY, authorize the transfer of their data to that third party.
- Processing of Suppliers' Personal Data
THE COMPANY will only collect from its suppliers, the data that are necessary, relevant and useful, but not excessive, in order to select, evaluate and execute the obligations arising from each relationship. The collection of such data will be done through a supplier registration form, which will contain the authorization of the supplier, and will refer to this policy. This type of data will be collected for the fulfillment of the following purposes: i. Carrying out the different stages of the contract (Pre-contractual, contractual and post-contractual); ii. Those established in the corresponding contract and in the authorizations granted by the suppliers, when required; iii. Verification of the moral suitability and competence of the supplier and its employees.
- Processing of Customers' personal data
THE COMPANY will store the personal data of those who decide to hire the services of the same, obtained during the pre-contractual, contractual and post-contractual stage, through the authorization made when filling out their data on the website, which will make direct reference to this policy.
- Processing of Customers' personal data in the capacity of a data processor
THE COMPANY will store and process, as the person in charge, the personal data provided by the Clients as responsible for the segmentation, study, processing, classification and others. The processing of this data will be during the pre-contractual, contractual and post-contractual stage. The delivery of this data may be made through the execution of an Information Transmission Agreement, Business Alliance or any other private document that stipulates for the Client and the COMPANY their obligations regarding the holding, processing and custody of the personal information provided.
MODIFICATION TO POLICIES
THE COMPANY reserves the right to modify the Personal Data Protection Policy at any time. Any modification will be communicated in a timely manner to the Data Owners through the usual means of contact or via email at email@example.com, fifteen (15) working days prior to its entry into force.
In case of disagreement with the new policies for handling Personal Data, for valid reasons that constitute a fair cause, the Data Subjects or their representatives may request the COMPANY to withdraw their information through the e-mail firstname.lastname@example.org. However, the withdrawal of such information may not be requested while maintaining a link of any kind with the entity or due to a legal obligation.
INQUIRIES AND COMPLAINTS
The Data Subjects or their assignees may consult the personal information of the Data Subject contained in any database of the COMPANY. The Data Controller or Data Processor shall provide them with all the information contained in the individual record or that is linked to the identification of the Data Subject.
The consultation shall be made by the means enabled by the Data Controller or the Data Processor, provided that proof of such consultation can be kept.
The consultation will be answered within a maximum term of ten (10) working days from the date of receipt thereof. When it is not possible to answer the consultation within said term, the interested party shall be informed, stating the reasons for the delay and indicating the date on which the consultation will be answered, which in no case may exceed five (5) business days following the expiration of the first term.
The Data Controller of the Personal Data undergoing Processing or its assignees who consider that the information contained in a database should be corrected, updated or deleted, or when they notice the alleged breach of any of the duties contained in this policy and in the law, may file a complaint with the Data Controller or the Data Processor, which will be processed under the following rules:
- The claim shall be formulated by means of a request addressed to the Data Controller or the Data Processor, with the identification of the Data Subject, the description of the facts that give rise to the claim, the address, and accompanied by the documents that are to be asserted. If the claim is incomplete, the interested party will be required within five (5) days after receipt of the claim to correct the faults. After two (2) months from the date of the requirement, without the applicant submitting the required information, it will be understood that the claim has been abandoned.
In the event that the person who receives the claim is not competent to resolve it, he/she will transfer it to the corresponding person within a maximum term of two (2) business days and will inform the interested party of the situation.
- Once the completed claim has been received, a legend stating "claim in process" and the reason for the claim will be included in the database within two (2) business days. Said legend shall be maintained until the claim is decided.
- The maximum term to address the claim will be fifteen (15) working days from the day following the date of receipt. When it is not possible to address the claim within such term, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.
The Data Subject or assignee may only file a complaint before the Superintendence of Industry and Commerce once the consultation or complaint process has been exhausted before the Data Controller or the Data Processor.
INFORMATION SECURITY AND SECURITY MEASURES
In compliance with the security principle established in the regulations in force, THE COMPANY shall adopt the technical, human and administrative measures necessary to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
9.1. Implementation of security measures
THE COMPANY shall implement and maintain security measures to be complied with by officers, customers, employees, suppliers, who have access to personal data and information systems.
These security measures will consist of:
• Inclusion in the employment contract of clauses that clearly and precisely establish the employee's obligation to guarantee adequate access to data and privacy of information.
• In the event of entering into a contract with any natural or legal people that requires the contractor to consult the databases managed by THE COMPANY, clauses must be included that clearly and expressly establish the use that the contractor must give to the personal information and the privacy of the information.
• THE COMPANY will require its employees to disclose the correct treatment to be given to personal data.
• Development and implementation of all procedures established in this manual and that are a consequence of the requirements contained in Law 1581 of 2012.
• Other technical and computer security measures deemed necessary by THE COMPANY for the proper use of the information and its privacy.
USE AND INTERNATIONAL TRANSFER OF PERSONAL DATA AND PERSONAL INFORMATION BY THE COMPANY
THE COMPANY, taking into account the nature of the permanent or occasional relationships that any people with personal data may have with the Company, may transfer and transmit, even internationally, all personal data, provided that the applicable legal requirements are met. Consequently, by accepting this policy, the Data Controllers expressly authorize the transfer and transmission, even internationally, of personal data. The data will be transferred for all relationships that may be established with THE COMPANY.
For the international transfer of personal data of the Data Controllers, THE COMPANY will take the necessary measures so that third parties are aware of and agree to comply with this policy, with the understanding that the personal information they receive may only be used for matters directly related to THE COMPANY and only while these last and may not be used or intended for a different purpose. For the international transfer of personal data, the provisions of Article 26 of Law 1581 of 2012 shall be observed.
THE COMPANY, may also exchange personal information with governmental or other public authorities (including, without limitation, judicial or administrative authorities, tax authorities and criminal, civil, administrative, disciplinary and fiscal investigative agencies), and third parties involved in civil legal proceedings and their accountants, auditors, attorneys and other advisors and representatives, because it is necessary or appropriate: (a) to comply with applicable laws, including laws other than those of your country of residence; (b) to comply with legal process; (c) to respond to requests from public and government authorities, and to respond to requests from public and government authorities other than those of your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations; (f) to protect our rights, privacy, safety or property, yours or others; and (g) to obtain any applicable indemnification or limit any damages that may be incurred by us.
In case of any concerns, doubts or complaints, the interested party may send their concerns to the e-mail email@example.com or call +57 301 339 9435.
You can also send your concerns in physical form to the following address:
- Km 17 via las palmas, parque la reserva 4 piso. Envigado - Antioquia.
For the purposes of this policy, the following definitions shall apply:
- Authorization: Prior, express and informed consent of the Data Subject to carry out the processing of personal data.
- Database: Organized set of personal data that is the object of Processing.
- Personal data: Any information linked or that can be associated to one or several determined or determinable natural people.
- Data Processor: A natural or legal person, public or private, who by himself or in association with others, performs the Processing of personal data on behalf of the Data Controller.
- Data Controller: Natural or legal, public or private people, who by themselves or in association with others, decide on the database and/or the processing of the data.
- Holder: Natural people whose personal data are subject to processing.
- Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.
- Public data: It is that data qualified as such according to the mandates of the law or the Constitution. Public data includes, among others, data contained in public documents, enforceable court rulings that are not subject to confidentiality and data related to the civil status of people.
- Semi-private data: Semi-private data is data that is not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to its owner but also to a certain sector or group of people or to society in general, such as financial and credit data from commercial activities.
- Private data: Data that, due to its intimate or reserved nature, is only relevant to the owner.
- Sensitive data: data related to racial or ethnic origin, membership in trade unions, social or human rights organizations, political, religious, sex life, biometric or health data. This information may be provided by the Holder of this data.
- Privacy Notice: physical or electronic document generated by the Data Controller that is made available to the Data Subject with information regarding the existence of the information processing policy, which will be applicable. It also contains the way to access it and the characteristics of the treatment that is intended to be given to personal data.
LAW, JURISDICTION AND ENFORCEMENT
- Political Constitution of 1991, Article 15
- Law 1266 of 2008
- Law 1581 of 2012
- Regulatory Decree 1727 of 2009
- Regulatory Decree 2952 of 2010
- Decree 1377 of 2013
- Decree 886 of 2014
This policy is effective as of Q2, 2023.